Threat Analyst Using RiskIQ PassiveTotal: A Day in the Life

July 5, 2017, Brian Chung

John is a tier-two threat analyst on a SOC team that consists of five analysts. John, whose team works for a public sector organization, uses RiskIQ PassiveTotal daily to aid his investigations of indicators of compromise (IOCs) with minimal false positives during incident response.

The team leverages the relationships between the highly connected data collected by RiskIQ inside the RiskIQ PassiveTotal platform, pivoting on its unique data sets to surface new connections, group similar attack activity, and substantiate assumptions for each IOC.

However, John’s team did not always use RiskIQ PassiveTotal.

Once upon a time, they used a manual, highly segmented workflow comprised of a cocktail of different tools. According to John, below is an example of what a typical incident response might have looked like for him in the pre-PassiveTotal days. We will use an IP from a recent event in which the Lazarus Group attacked Polish banking establishments as the example.

The IP 109[.]164[.]247[.]169 is flagged through IDS.

1. John logs into Domain Tools for IP WHOIS lookup, which provides WHOIS information such as the resolving host, WHOIS history, contract emails, and more:

Fig-1 WHOIS info inside DomainTools

2. In a separate tab, he opens Mnemonic for Passive DNS lookup, which pulls in domains resolving to the suspect IP:

Fig-2 DNS lookup inside Mnemonic

3. To see if there is any open source intelligence on the IP, he opens several tabs to search multiple sources, such as Phishtank, FireEye blog, Facebook, threat exchange, and more:

Fig-3 Various OSINT tools

4. Next, he opens up a new tab to check the domains he found in Mnemonic against hashes in VirusTotal:

Fig-4 Hashes inside VirusTotal

Through these steps, John was able to gather a good deal of knowledge about this IP—WHOIS information, passive DNS, OSINT, and hashes. If his initial research uncovers something interesting, John could spend more time on that area to dive deeper. Doing investigations this way can easily take anywhere from 10-15 minutes each, with up to six different sources.

Now, let’s take a look at what the same investigation would look like today, now that John and his team uses RiskIQ PassiveTotal.

The IP 109[.]164[.]247[.]169 is flagged through IDS.

1. John takes the flagged IP and queries it inside the RiskIQ PassiveTotal platform. Immediately, the WHOIS and passive DNS data are presented in a visual heat map.

2. Utilizing the heatmap, John can pinpoint and narrow down his investigation based on unique changes. All historical IP/Domain resolutions are displayed under resolutions allowing John to quickly observe all historical resolutions in a single view:

Fig-5 Querying the IP combines all six sources in the old method into one

3. John pivots from the domain under the ‘resolutions’ tab, which automatically will run a query on ‘sap[.]misapor[.]ch’:

Fig-6 Querying DNS data in RiskIQ PassiveTotal

The RiskIQ PassiveTotal interface displays detailed contextual information such as OSINT, RiskIQ proprietary BlackList, Malware and more, allowing John to stay inside of the platform to conduct his investigation further. The entire process is seamless and took less than a few minutes without ever having to leave the platform.

Fig-7 Data shows that threat analysts who use RiskIQ PassiveTotal save time

As seen above, by using RiskIQ PassiveTotal the time spent on this investigation was cut by more than half. On top of time savings, RiskIQ PassiveTotal aggregates data into one single view, so threat analysts like John no longer need to visit or subscribe to multiple sources.

In addition to the datasets presented above, RiskIQ PassiveTotal has many unique datasets derived from data captured during our virtual user crawling sessions. For example, the Host Pairs dataset is generated when RiskIQ crawling infrastructure identifies references or redirections on a page to other websites. By confirming that the attack originated from external sources, Host Pairs played a huge role in the investigation of Polish Bank hack when it showed that the malicious domain (sap[.]misapor[.]ch) was linked to a legitimate Polish bank via an iframe.

Below, you can see RiskIQ crawlers observed the KNF website pointing to two malicious URLS via an iframe:

About RiskIQ PassiveTotal for Threat Analysts

RiskIQ PassiveTotal’s ever-expanding data provides new context to adversaries’ infrastructure and now includes deeper monitoring capabilities. Security teams can be alerted in real-time to changes in DNS and domain resolution, WHOIS registration, and the appearance of other new keywords of interest. The latest release also includes a project workflow to quickly organize and group related threat infrastructure components found during investigations. This allows threat analysts and research teams to be more efficient and agile in their investigations. To try it for yourself, sign up for RiskIQ Community Today.